[87616] in North American Network Operators' Group
Re: Compromised machines liable for damage?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Dec 29 08:22:47 2005
Date: Thu, 29 Dec 2005 05:20:41 -0800
From: Owen DeLong <owen@delong.com>
To: Valdis.Kletnieks@vt.edu
Cc: Douglas Otis <dotis@mail-abuse.org>,
"Steven M. Bellovin" <smb@cs.columbia.edu>, NANOG <nanog@merit.edu>
In-Reply-To: <200512291051.jBTAp78L022543@turing-police.cc.vt.edu>
Errors-To: owner-nanog@merit.edu
--On December 29, 2005 5:51:04 AM -0500 Valdis.Kletnieks@vt.edu wrote:
> On Wed, 28 Dec 2005 13:20:51 PST, Owen DeLong said:
>
>> Denying patches doesn't tend to injure the trespassing user so much as
>> it injures the others that get attacked by his compromised machine.
>> I think that is why many manufacturers release security patches to
>> anyone openly, while restricting other upgrades to registered users.
>
> Color me cynical, but I thought the manufacturers did that because a
> security issue has the ability to convince non-customers that your
> product sucks, while other bugs and upgrades only convince the sheep that
> already bought the product that the product is getting Even
> Better!(tm).....

That could be a factor, but I know firsthand from the legal departments
of at least two software "manufacturers" that it was at least a factor
in the decision, and they do have concerns about being liable for
damages caused by security flaws in their software.

Owen
--
If it wasn't crypto-signed, it probably didn't come from me.